Vulnerability Development mailing list archives
Re: Securax Security Advisory: Windows98 contains a serious buffer overflow with long filenameextensions.
From: swadlow () UTDALLAS EDU (Su Wadlow)
Date: Sat, 22 Apr 2000 18:26:31 -0500
--On Saturday, April 22, 2000 9:02 AM -0500 Ron DuFresne <dufresne () WINTERNET COM> wrote:

> Has anyone looked to see if this works on NT and or 2000?

Something I noticed was that the batch file created *two* files. One was the '_á.á------Buffer overflow----blah' file. The other was *supposed* to be something called '_á.á------Blue-screen-of-death------aa....aa12345678?AAAAAAAAAA' but I couldn't get that one in my trials.

Note that I don't have a Win98 box to mess with here, so I had to limit myself to Win95 and NT4. :-)

First machine: Win95
--------------------

My first attempt was with the batch file verbatim, which as we've found by now, doesn't work. So I changed the ' ' to a '-' and ran the batch file again. I got the '_á.á------Buffer-overflow--blah' file, but when the batch file got to the other one all I got was a "File creation error".

Back in Explorer I tried clicking the 'Buffer-overflow' file -- nothing. Double clicking it just brought up the Windows 'Open With' dialog box -- nothing unusual. And I've had no trouble opening this file with either Notepad or WordPad -- I've tried several times both using the Windows 'Open With' box and the apps' Open dialog boxes.

Remembering the comment by Markus Kern about the little tool tip thingy (Windows *apps* do use it, even Explorer's toolbar) I looked for something to which to add the file I had gotten, and noticed my Office Shortcut Bar. I was unable to add it there -- I got a message that the file couldn't be added because "The combined lenght of the path to the toolbar folder and the file name must be less than 260 characters."

As I had nothing else on my Win95 box to which I could add this filename, to try the tool tip thingy, I decided to move on to NT. Since there's no email app on it, I decided to use FTP to get the .bat file to my NT machine, so I fired up WS_FTP95LE.

Enter a brief interlude of surprised, semi-maniacal laughter when I change to the directory containing the .bat file (which also contains the 'Buffer-overflow' file :-) as WS_FTP95LE crashes . . . .

    WS_FPT95 caused an invalid page fault in
    module <unknown> at 0000:00000009.
    Registers:
    EAX=00000001 CS=0137 EIP=00000009 EFLGS=00010286
    EBX=0000002b SS=013f ESP=0067f958 EBP=0067fa0e
    ECX=86064500 DS=013f ESI=0000039f FS=0e9f
    EDX=00551000 ES=013f EDI=00000230 GS=0000
    Bytes at CS:EIP:
    00 5a 09 65 04 70 00 65 04 70 00 54 ff 00 f0 bf
    Stack dump:
    0000013f 00000000 00000300 0067fa0e 0067f99c 0067f984 000089f2 0067f9ce
    00417ec2 00000230 bff73663 00000230 0000002b 0000039f 0067fa0e 89cc306f

Might *this* be useful in some way?

Second machine: NT4.0, SP5
--------------------------

Again, only the 'Buffer-overflow' file was created. For the other, NT says that "The filename, directory name, or volume label syntax is incorrect." And I can double click on it and open it in Notepad or Wordpad without a problem.

I had wanted to try to FTP the 'Buffer-overflow' file to my Linux box to see what would happen there, but as I had already determined that it would crash my Windows GUI FTP app, and the Windows command line FTP doesn't support passive mode, I had to drop that idea . . . .

--
Su Wadlow
swadlow () utdallas edu
If I have to explain, you wouldn't understand . . . . :-)